Senator McConnell Seeks Data Hub Security Guarantees From CMS

In a letter to CMS Administrator Marilyn Tavenner, Senate Republican Leader Mitch McConnell (R-KY) expressed his concern regarding the security of personal data on the federal services data hub. McConnell stated his continuing opposition to the Patient Protection and Affordable Care Act (PPACA) (P.L. 111-148), but said that Americans ought to be assured that their personal and financial data will be safe from hackers and cyber criminals under any circumstances.

Hub Security

The Hub is intended to support PPACA’s health insurance exchanges, state-based competitive marketplaces where individuals and small businesses will be able to purchase private health insurance. The Hub will not store any data, but will provide a single point for exchanges to access data from different sources, including federal agencies. The Office of the Inspector General (OIG) recently published a report on its observations of CMS’s implementation of the Hub and of CMS’s efforts to ensure that there are adequate security measures. McConnell noted his concern that CMS has missed deadlines for testing, reporting, and remediating data security risks. He questioned whether there will be enough time for CMS to fix problems following a scheduled final security control assessment. Although CMS stated in comments to the OIG’s draft report that it is confident the Hub will be operationally secure before the open enrollment period begins on October 1, 2013, the report cautioned that additional delays in security testing could result in CMS relying on incomplete information for safety authorization. McConnell asked CMS to delay opening the exchanges until their security can be guaranteed by the Inspector General, and also asked for public assurance that the Hub’s readiness will not be certified under pressure or before it is ready.

Contractor Confidence

In the letter, McConnell expressed his concern that CMS awarded a contract to Serco Inc. (Serco) to receive, sort, and evaluate applications for financial assistance in the exchanges. In 2012, the Federal Retirement Thrift Investment Board reported that a cyber attack on a Serco computer resulted in the unauthorized access of over 120,000 federal employees’ personal information. McConnell referenced the attack and requested that CMS guarantee that Serco will protect taxpayer information better than it protected federal employee information. The letter concluded by stating that if CMS rushes forward without adequate safeguards, any theft of constituents’ personal information is the result of implementing a law to meet political needs, rather than operational needs of the American people.